The big news at Securosis this week was the launching of Project Quant! Not only are we excited about working with some of the team members at Microsoft, but we are going to be really pushing the boundaries of our Totally Transparent Research process. Rich has been furiously setting up the infrastructure all week to support the public discourse for the project, and he just got it finished in time for launch. We are grateful that there is a ton of interest out there, as we have been getting numerous tweets and emails on the subject, as well as a ton of press on the project from eWeek, Dark Reading, ZDNet, and Dennis Fisher at ThreatPost. Jeff Jones posted an announcement on his Security Blog, plus there is coverage by Peter Galli on Microsoft’s Port 25 blog as well! There won’t be a lot of content pushed out next week as we are crazy-busy, but this will be a full time effort come May.

On the personal side, I got a couple of phone calls again this week. You know, the “My computer is doing FOO, and it stopped working” phone call from friends and family. As sure as the sun rises in the morning, I got another call today from a friend whose machine is infected with some form of malware. IE is completely locked, and when they try to use it now, all they get is an advertisement to purchase AV and anti-malware! After a few hours of someone in the family browsing risky sites and downloading music from dubious locations, it looked like they had managed to get infected with something that was not going to easily surrender. It passed the Eye Chart test, but I was not convinced that it was (or was not) Conficker.

The next question of course is “How do I fix it?” and my response is “stop doing what you did to get it infected in the first place!” The snappy retort does not make me very popular, but why fix it and have them do it again a week later? Almost immediately I feel bad for them and go ahead and fix it. Most of the people who call use their computer to run their business. This is how they make their living. They are hosed. They will lose two or three days of revenue and piss off their clients if they don’t get back up and running ASAP. Can the virus be removed without permanent damage? Maybe, maybe not. A fresh install is probably the only way to be sure you got it. Serious education on what not to do is what it would take to keep it from happening again. Any way you slice it, this is a painful process.

There are a lot of commonalities across this group:

  • They use IE 6.x on Windows.
  • They do not make backups.
  • They do not keep the original software media or software licenses.
  • They use their machines for their business.
  • Their machines run very slowly, and have for a long time.
  • They browse everywhere.
  • They have never met an email link they would not click.
  • They download lots of applications and music.
  • They install a lot of free Internet applications just to see what they are.
  • They have never uninstalled a program.
  • They do not run disk cleanup.
  • They have Norton or McAfee.
  • They have malware and adware on the machine.
  • They do online banking.
  • There is no password on the machine.
  • The machine is multi-use by/for all family members.
  • They have never looked at IE settings.
  • They are unaware that there are other browsers.

I feel bad half the time, because I cannot fix the problem without a re-install. When I do re-install, getting the computer to where it was before the infection is a full day’s work … spread out over a week or more. Man do I have sympathy for the corporate IT guys who have to put up with this for a living! “Where are my bookmarks?” “Why does the computer do this?” “I can’t print!” “Why is this over here when it used to be over there?” Part of me wants them to feel a little pain, in order for them to appreciate that performing every risky act on your computer has consequences, but what really needs to happen is some education for the home user. I have been on this topic for some time, and I feel fairly strongly about it. Enough so that I even bought “Security Mike’s Guide to Internet Security” when it was still vapo-bookware to loan to family members to raise their awareness. Not that they would have read it before their computer imploded, but it would be there for them as they waited for InstallShield to complete its tasks. I know that security professionals need to help not just the vendors and IT organizations who have security challenges, but the end users as well. I am going to be cherry-picking a bunch of our old posts and putting them into the new Research Library for end user assistance and tips. Certainly not our focus, but something we will continue to build.

And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences:

Favorite Securosis Posts:

Favorite Outside Posts:

  • Adrian: I liked Ronald McCarthy’s down-to-earth discussion of Ubuntu Security.
  • Rich: Alex’s comments on Project Quant. Don’t worry Alex, we are all armed with ‘Multitools’ and chewing gum!

Top News and Posts:

  • An Examination of the Twitter Worm.
  • The Verizon Data Breach report is out. It’s good. Read it when you get the chance, but some of the editorial posts are advised as well, such as …
  • Mortman’s Initial thoughts on the Verizon 2009 DBIR.
  • Thoma Bravo is buying Entrust. For about 1.2x revenue. Entrust has solid products and a fairly stable revenue stream from their government sales. I know the stock is dangerously low, revenues are down, times are tough, but $114M seems low.
  • Backbone Hacking Tools to be Unleashed.
  • Pirate Bay Verdict in: Guilty
  • Microsoft Security Bulletin. Mostly standard fixes, but for me, I have to ask the question: how the %@$! could Wordpad allow remote code to execute under ANY circumstances?
  • Nice article on SC Magazine about hackers who were busted in Romania by Romanian authorities and the FBI for credit card fraud. Must have been getting out of hand if the FBI got involved. Since when do pharmaceutical companies store end user credit card data? Have they begun to sell direct?

Blog Comment of the Week:

This week’s best comment was from ds in response to Rich’s post on Security Inevitabilities:

Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips.

…and we’ll still have CC fraud because there won’t be an infrastructure to allow every possible transaction to be a cardholder-present equivalent, so we will still need some way for credit card data to be human interpreted and communicated.